---
id: index
title: Hooks
---

Hooks execute logic after a flow (login, registration, settings, ...):

- *After login:* is executed after a login was successful.
- *After registration:* is executed when a registration was successful:
  - *Before persisting:* runs before the identity is saved in the database.
  - *After persisting:* runs after the identity was saved in the database.
- *After settings:* is executed when a settings was successful:
  - *Before persisting:* runs before the identity is saved in the database.
  - *After persisting:* runs after the identity was saved in the database.

## Login

### After

```yaml title="path/to/my/kratos.config.yml"
selfservice:
  flows:
    login:
      after:
        password:
          - hook: revoke_active_sessions
```

#### `revoke_active_sessions`

The `revoke_active_sessions` will delete all active sessions for that user on
successful login:

```yaml title="path/to/my/kratos.config.yml"
selfservice:
  flows:
    login:
      after:
        <strategy>:
          - hook: revoke_active_sessions
            # can not be configured
```

## Registration

Hooks running after successful user registration are defined per
Self-Service Registration Strategy in ORY Kratos' configuration file.

### After

```yaml title="path/to/my/kratos.config.yml"
selfservice:
  flows:
    registration:
      after:
        oidc:
          - hook: session
        password:
          - hook: session
```

#### `session`

Adding the `session` hook signs the user immediately in once the account has been created.
It runs after the identity has been saved to the database.

:::info

Using this job as part of your post-registration workflow makes your system
vulnerable to
[Account Enumeration Attacks](../../concepts/security.md#account-enumeration-attacks)
because a threat agent can distinguish between existing and non-existing
accounts by checking if `Set-Cookie` was sent as part of the registration
response.

:::

It sends  a `Set-Cookie` header which contains the session
cookie. To use it, you must first define one or more (for secret rotation)
session secrets and then use it in one of the `after` work flows:

```yaml title="path/to/my/kratos.config.yml"
secrets:
  cookie:
    - something-super-secret # The first entry will be used to sign and verify session cookies

    # All other entries will be used to verify session cookies that were signed before "something-super-secret" became
    # the current signing secret.
    - old-session-secret
    - older-session-secret
    - ancient-session-secret

selfservice:
  flows:
    registration:
      after:
        <strategy>:
          - hook: session
            # can not be configured
```

## Settings

Hooks running after successfully updating user settings and are defined per
Self-Service Settings Strategy in ORY Kratos' configuration file.

### After

```yaml title="path/to/my/kratos.config.yml"
selfservice:
  flows:
    settings:
      after:
```

No hooks are available for this flow at the moment.
